From c1b077dc2ddde24e0ad7886a8eed4c07963a37e1 Mon Sep 17 00:00:00 2001 From: TymKh Date: Wed, 6 Aug 2025 12:30:17 +0200 Subject: [PATCH 1/3] separate secrets --- adapters/secrets/service.go | 18 +++++++++++------- cmd/httpserver/main.go | 6 +++--- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/adapters/secrets/service.go b/adapters/secrets/service.go index 5344c38..255fda7 100644 --- a/adapters/secrets/service.go +++ b/adapters/secrets/service.go @@ -11,11 +11,11 @@ import ( ) type Service struct { - sm *secretsmanager.SecretsManager - secretName string + sm *secretsmanager.SecretsManager + secretPrefix string } -func NewService(secretName string) (*Service, error) { +func NewService(secretPrefix string) (*Service, error) { sess, err := session.NewSession(&aws.Config{ Region: aws.String("us-east-2"), }) @@ -26,14 +26,18 @@ func NewService(secretName string) (*Service, error) { // Create a Secrets Manager client svc := secretsmanager.New(sess) - return &Service{sm: svc, secretName: secretName}, nil + return &Service{sm: svc, secretPrefix: secretPrefix}, nil } var ErrMissingSecret = errors.New("missing secret for builder") +func (s *Service) secretName(builderName string) string { + return s.secretPrefix + "_" + builderName +} + func (s *Service) GetSecretValues(builderName string) (json.RawMessage, error) { input := &secretsmanager.GetSecretValueInput{ - SecretId: aws.String(s.secretName), + SecretId: aws.String(s.secretName(builderName)), } result, err := s.sm.GetSecretValue(input) @@ -56,7 +60,7 @@ func (s *Service) GetSecretValues(builderName string) (json.RawMessage, error) { func (s *Service) SetSecretValues(builderName string, values json.RawMessage) error { input := &secretsmanager.GetSecretValueInput{ - SecretId: aws.String(s.secretName), + SecretId: aws.String(s.secretName(builderName)), } result, err := s.sm.GetSecretValue(input) 
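Review bot: NewService now takes a prefix that is spliced into every secret id, but nothing rejects an empty one, and the CLI flag feeding it (further down in this patch) defaults to "", so an unset AWS_BUILDER_CONFIGS_SECRET_PREFIX would silently address top-level secrets named `_<builder>` instead of failing at startup. Add a guard as the first statement of the constructor: `if secretPrefix == "" { return nil, errors.New("secret prefix must not be empty") }`. The struct fields also deserve a line each, e.g. `// secretPrefix is prepended to every builder name to form that builder's Secrets Manager id.` NewService's body continues past the hunk; the region hard-coded to us-east-2 in the context lines is pre-existing, but since the prefix is now configurable the region arguably should be too.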
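Review bot: The new secretName helper concatenates builderName straight into the Secrets Manager id without any validation, so whoever supplies builderName (presumably the HTTP handlers in cmd/httpserver, which are not visible here) chooses which secret under the prefix is read or created; an empty name yields the id `<prefix>_` and a name containing `/` silently nests deeper than the prefix. Validate it at the public entry points before it reaches the helper, for example `var builderNameRe = regexp.MustCompile("^[A-Za-z0-9_.-]{1,64}$")` checked at the top of GetSecretValues and SetSecretValues with a sentinel like `ErrInvalidBuilderName` returned on mismatch, so a rejected name never produces an AWS call. The helper itself should carry a doc comment stating the naming scheme, e.g. `// secretName returns the Secrets Manager id for a builder, "<prefix>_<builderName>"; one secret per builder.`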
@@ -76,7 +80,7 @@ func (s *Service) SetSecretValues(builderName string, values json.RawMessage) er } sv := &secretsmanager.PutSecretValueInput{ - SecretId: aws.String(s.secretName), + SecretId: aws.String(s.secretName(builderName)), SecretString: aws.String(string(newSecretString)), } _, err = s.sm.PutSecretValue(sv) diff --git a/cmd/httpserver/main.go b/cmd/httpserver/main.go index 454ab79..4abc69e 100644 --- a/cmd/httpserver/main.go +++ b/cmd/httpserver/main.go @@ -85,10 +85,10 @@ var flags = []cli.Flag{ EnvVars: []string{"POSTGRES_DSN"}, }, &cli.StringFlag{ - Name: "secret-name", + Name: "secret-prefix", Value: "", Usage: "AWS Secret name", - EnvVars: []string{"AWS_BUILDER_CONFIGS_SECRET_NAME"}, + EnvVars: []string{"AWS_BUILDER_CONFIGS_SECRET_NAME", "AWS_BUILDER_CONFIGS_SECRET_PREFIX"}, }, &cli.BoolFlag{ Name: "mock-secrets", @@ -156,7 +156,7 @@ func runCli(cCtx *cli.Context) error { log.Info("using mock secrets storage") sm = domain.NewMockSecretService() } else { - sm, err = secrets.NewService(cCtx.String("secret-name")) + sm, err = secrets.NewService(cCtx.String("secret-prefix")) if err != nil { log.Error("failed to create secrets manager", "err", err) return err From d14325e35ca6e09d79521f402efc2af6775da739 Mon Sep 17 00:00:00 2001 From: TymKh Date: Tue, 12 Aug 2025 13:09:40 +0200 Subject: [PATCH 2/3] create secret on write --- adapters/secrets/service.go | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/adapters/secrets/service.go b/adapters/secrets/service.go index 255fda7..5d02324 100644 --- a/adapters/secrets/service.go +++ b/adapters/secrets/service.go @@ -6,6 +6,7 @@ import ( "errors" "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/secretsmanager" ) 
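Review bot: The flag's Usage still reads "AWS Secret name" although the value is now a prefix from which per-builder secret names are derived, so `--help` tells operators to set the wrong thing; change it to `Usage: "AWS Secrets Manager name prefix; one secret per builder is derived from it"`. Keeping AWS_BUILDER_CONFIGS_SECRET_NAME in EnvVars is a sensible compatibility shim, but a value supplied through it now has different semantics (prefix rather than full secret name), which deserves either a mention in the usage text or a one-time warning log when the old variable is the one that is set. The default stays "" and the flag is not marked Required, so a missing value is only caught, if at all, when the first secret lookup goes to the wrong name.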
@@ -42,6 +43,11 @@ func (s *Service) GetSecretValues(builderName string) (json.RawMessage, error) { result, err := s.sm.GetSecretValue(input) if err != nil { + // If the secret doesn't exist, return empty JSON for new builders + var awsErr awserr.Error + if errors.As(err, &awsErr) && awsErr.Code() == secretsmanager.ErrCodeResourceNotFoundException { + return json.RawMessage("{}"), nil + } return nil, err } secretData := make(map[string]json.RawMessage) @@ -59,15 +65,37 @@ func (s *Service) GetSecretValues(builderName string) (json.RawMessage, error) { } func (s *Service) SetSecretValues(builderName string, values json.RawMessage) error { + secretName := s.secretName(builderName) input := &secretsmanager.GetSecretValueInput{ - SecretId: aws.String(s.secretName(builderName)), + SecretId: aws.String(secretName), } result, err := s.sm.GetSecretValue(input) + var secretData map[string]json.RawMessage + if err != nil { + // If the secret doesn't exist, create it + var awsErr awserr.Error + if errors.As(err, &awsErr) && awsErr.Code() == secretsmanager.ErrCodeResourceNotFoundException { + // Create a new secret with the builder's values + secretData = map[string]json.RawMessage{builderName: values} + newSecretString, marshalErr := json.Marshal(secretData) + if marshalErr != nil { + return marshalErr + } + + createInput := &secretsmanager.CreateSecretInput{ + Name: aws.String(secretName), + SecretString: aws.String(string(newSecretString)), + } + _, createErr := s.sm.CreateSecret(createInput) + return createErr + } return err } - secretData := make(map[string]json.RawMessage) + + // Secret exists, update it + secretData = make(map[string]json.RawMessage) err = json.Unmarshal([]byte(*result.SecretString), &secretData) if err != nil { return err 
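Review bot: Mapping ResourceNotFoundException to `{}` with a nil error makes a missing secret indistinguishable from a new builder with an empty config, so a wrong prefix or region, a secret deleted out of band, or secrets still stored under a previous naming scheme all read as "no config" instead of failing loudly. The file already defines `ErrMissingSecret` ("missing secret for builder"), presumably returned further down when the builder key is absent, so returning `nil, ErrMissingSecret` here and letting the caller decide whether that means "new builder" keeps a single not-found code path that callers can test with errors.Is. If the empty-JSON behaviour is deliberate, replace the added comment with one that states the trade-off, e.g. `// A missing secret is treated as an empty config so new builders can be onboarded without pre-creating secrets; a misconfigured prefix is therefore not detected here.` The remainder of GetSecretValues, which extracts the builder's entry from secretData, continues past the hunk.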
@@ -80,7 +108,7 @@ func (s *Service) SetSecretValues(builderName string, values json.RawMessage) er } sv := &secretsmanager.PutSecretValueInput{ - SecretId: aws.String(s.secretName(builderName)), + SecretId: aws.String(secretName), SecretString: aws.String(string(newSecretString)), } _, err = s.sm.PutSecretValue(sv) From c00c5577fe08a6d88358a82e07917ecf6ac225a9 Mon Sep 17 00:00:00 2001 From: bakhtin Date: Tue, 12 Aug 2025 12:52:41 +0100 Subject: [PATCH 3/3] Change secret prefix Signed-off-by: bakhtin --- adapters/secrets/service.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/adapters/secrets/service.go b/adapters/secrets/service.go index 5d02324..7452ff2 100644 --- a/adapters/secrets/service.go +++ b/adapters/secrets/service.go @@ -33,7 +33,7 @@ func NewService(secretPrefix string) (*Service, error) { var ErrMissingSecret = errors.New("missing secret for builder") func (s *Service) secretName(builderName string) string { - return s.secretPrefix + "_" + builderName + return s.secretPrefix + "/" + builderName } func (s *Service) GetSecretValues(builderName string) (json.RawMessage, error) {
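Review bot: The new create branch in SetSecretValues is check-then-act: two concurrent first writes for the same builder both observe ResourceNotFoundException, the loser's CreateSecret fails with ResourceExistsException and its values are dropped with an error, and the existing-secret branch has the same read-modify-write window before PutSecretValue. Treat ResourceExistsException from CreateSecret as "lost the race" by re-reading the secret and falling through to the merge path instead of returning the error, and consider setting ClientRequestToken so SDK retries of CreateSecret are idempotent. CreateSecret is also issued with no KmsKeyId, Description or Tags, so every builder secret lands under the account's default AWS-managed key and without the tags an IAM or SCP condition might key on; if your policy requires a customer-managed key, this call is where it has to be set. SetSecretValues continues past the hunk (the merge into secretData and the PutSecretValue call).
```go
// isAWSErrCode reports whether err is an AWS API error carrying the given code.
func isAWSErrCode(err error, code string) bool {
	var awsErr awserr.Error
	return errors.As(err, &awsErr) && awsErr.Code() == code
}

	result, err := s.sm.GetSecretValue(input)
	var secretData map[string]json.RawMessage
	if isAWSErrCode(err, secretsmanager.ErrCodeResourceNotFoundException) {
		// … unchanged: marshal {builderName: values} into newSecretString …
		createInput := &secretsmanager.CreateSecretInput{
			Name:         aws.String(secretName),
			SecretString: aws.String(string(newSecretString)),
			// KmsKeyId / Tags / Description per your policy go here.
		}
		_, createErr := s.sm.CreateSecret(createInput)
		if !isAWSErrCode(createErr, secretsmanager.ErrCodeResourceExistsException) {
			return createErr // nil on success
		}
		// Lost the creation race to a concurrent writer: re-read and merge below.
		if result, err = s.sm.GetSecretValue(input); err != nil {
			return err
		}
	} else if err != nil {
		return err
	}
	// … unchanged: unmarshal into secretData, merge values, PutSecretValue …
```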
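Review bot: Switching the separator to `/` is a good fit for IAM, since a policy can now be scoped to `arn:aws:secretsmanager:<region>:<account>:secret:<prefix>/*`, but that intent is not recorded and builderName is still unrestricted, so a name containing `/` nests further under the prefix than a reader of the policy would expect; a doc comment such as `// secretName builds the per-builder secret id "<prefix>/<builderName>", the shape an IAM resource pattern of <prefix>/* is meant to match; builderName must not contain "/".` would pin both points. Any secrets created by the earlier `_` form of this helper are no longer found, and with the not-found handling added in the previous commit they would be recreated empty rather than surface an error, so either rename them before deploying or, if the `_` form was never deployed, say so in the commit message.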